White House: No Rush on Executive Order

The White House says it's not rushing to issue an executive order that would create a process to identify best IT security practices that the mostly private owners of the nation's critical infrastructure could voluntarily adopt.

"The process of developing an executive order will take time, as we believe that it must take into account the views of our partners in the private sector and the Congress," White House spokeswoman Caitlin Hayden said in an Oct. 5 statement. "We have started reaching out to both the private sector and Congress and we look forward to gaining their input. Given the gravity of the threats we face in cyberspace, we want to get this right in addition to getting it done swiftly."

Anticipation that the executive order would be issued sooner rather than later has been building. In mid-September, President Obama's homeland security adviser, John Brennan, said the administration was considering issuing an executive order to secure the mostly privately owned systems critical to the functioning of the United States' economy and society [see WH Moves Closer to Issuing Infosec Executive Order].

A few days later, at a Senate Homeland Security and Governmental Affairs Committee hearing, Homeland Security Secretary Janet Napolitano said the executive order is "still being drafted in the inter-agency process" and "is close to completion depending on a few issues that need to be resolved at the highest levels," according to a report.

GOP Warning

The White House statement comes days after several Republican senators wrote a letter to Obama, saying that taking unilateral action would aggravate the existing divide among lawmakers [see GOP Senators Warn Obama on Executive Order].

Also on Oct. 5, one of the leading Republicans on cybersecurity, Rep. Michael McCaul of Texas, wrote to Obama, saying he shares the president's disappointment that the Senate failed to enact cybersecurity legislation but asked him not to issue an executive order. "Only through legislation passed by Congress can we effectively address the complex legal challenges surrounding this important issue," said McCaul, chairman of the Homeland Security Oversight and Investigations Subcommittee and co-founder of the House Cybersecurity Caucus.

The Obama administration began to consider issuing an executive order two months ago after the Senate blocked a vote on the Cybersecurity Act of 2012, a comprehensive IT security bill that would have established a process for the federal government and industry to jointly develop voluntary IT security standards. Nearly every Republican opposed that provision, saying it could lead to regulations that they oppose.

However, another sponsor of the bill, Republican Susan Collins of Maine, asked the president not to issue an executive order [see 'We Can't Wait' for Cybersecurity].

Executive Order No Substitute for Legislation

The White House statement was issued at about 5 p.m. Eastern Time on Friday, the beginning of a three-day Columbus Day holiday weekend, a favorite time for announcements by Democratic and Republican administrations that don't want to attract much attention to the news or distract from the message of the day.

In the statement, Hayden reiterated the administration's support for passage of comprehensive legislation to safeguard the nation's critical IT infrastructure, while conceding that getting the bill enacted this year remains tough: "The current prospects for a comprehensive bill are limited, and the risk is too great for the administration not to act. The president is determined to protect our nation against cyberthreats."

She said the executive order is one way to improve collaborative efforts to develop needed cyber protections. "However, an EO is not a substitute for new legislation," she said. "While an EO doesn't create new powers or authorities, it does set policy under existing law."

Most Republican lawmakers contend regulations or even voluntary standards would stifle innovation among critical infrastructure companies to create proper safeguards, adding that these corporations know best how to protect their IT systems and networks. Some Democrats, but far from all of them, favor some form of regulation, contending critical infrastructure systems are too vital to the nation's well-being to be left alone to private companies that might be more focused on the corporate bottom line than on the needs of American society. The language in the Cybersecurity Act and the possible executive order is seen by supporters as a compromise between government mandates and corporate freedom.

The administration doesn't reject the idea that the best ideas could come from those who operate the critical infrastructure IT. "We believe that companies driving cybersecurity innovations in their current practices and planned initiatives can help shape best practices across critical infrastructure," Hayden said. "Companies needing to upgrade their security would have the flexibility to decide how best to do so using a wide range of innovative products and services available in the marketplace. We remain committed to incorporating strong privacy and civil liberties protections into any initiative to secure our critical infrastructure."
